Disk control unit

ABSTRACT

A disk control unit of a storage system stores identifiers of initiators that are capable of communicating with storage devices, together with information on the storage devices correlated with the initiators. When an initiator performs a discovery processing, the disk control unit judges, based on the information correlated with the initiator, whether or not the initiator's access to a storage device is illegal, and denies the access if it is.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a security technology in computer systems.

2. Related Background Art

Nowadays, as a transmission method that realizes a storage area network (SAN), Fibre Channel-Storage Area Network (FC-SAN), which uses fibre channel, has become the mainstream. Fibre channel is highly reliable and its transmission performance is very high because it uses an optical medium.

Recently, Ethernet®, which used to fall behind fibre channel in transfer performance, has achieved much higher speed with advances in network technology, and is increasingly adopted for SAN on the strength of its unlimited connection distance, low cost and mutual connectivity. To distinguish it from FC-SAN, a SAN using Ethernet® is called IP-SAN. Internet SCSI (iSCSI) is said to be the most influential means of realizing IP-SAN.

Various devices that are connected to a network are each provided with an identifier that indicates their own identity. For example, in an IP network, MAC addresses and IP addresses are used as identifiers, and in a fibre channel network, port IDs and World Wide Names (WWNs) are used as identifiers. Also, there are cases where a management computer that manages identifiers and assists communications between devices (hereafter referred to as a “management server”) is provided in a network. For example, in an IP network, a domain name system (DNS) server manages host names and their relation with IP addresses; and in a fibre channel system, a simple name server (SNS) manages WWNs and the like.

In this manner, various devices detect other devices on the network and mutually communicate through communications with a management server. Hereafter, a processing that is performed by a device to detect other devices on the network is called a discovery processing.

Three discovery processings (i.e., static configuration, SendTargets, and zero-configuration) that have been proposed for iSCSI are briefly discussed below.

(1) Static Configuration

In a static configuration, identifiers of target storage devices (IP addresses, TCP port numbers and target device names) are allocated in advance to an initiator. Therefore, the initiator can recognize the storage devices without requiring a discovery processing. It is noted that, among devices, a device that independently issues commands to search for other devices is called an initiator, and devices that respond to the commands issued by the initiator, or devices which communicate with the initiator, are called targets.

(2) SendTargets

SendTargets is used when an initiator already knows the IP addresses of targets and the TCP port numbers that are used in the TCP protocol.

There are mainly two request types in SendTargets. One of them is a type that requests identification information of all devices that are controlled by each target (hereafter called an “all-device request”), and the other is a type that requests identification information of only designated devices (hereafter called a “device designation request”). Hereunder, a flow of a discovery processing by SendTargets is described with reference to FIG. 6.

First, an initiator issues a discovery request to a target (step 605).

Upon receiving the discovery request, the target reads and determines its request type (step 610).

When the request type is an all-device request, the target includes identification information of all devices that are controlled by the target in a response command, and transmits the response command to the initiator (step 615).

When the request type is a device designation request, the target that has received the request includes identification information of only the designated devices in a response command, and returns the same to the initiator (step 620).

Upon receiving the response command, the initiator analyzes its content to thereby obtain the identification information of the devices that are controlled by the target (step 625), and starts a login processing, using the identification information, with the devices that are controlled by the target as new targets (step 630). When a login is accepted, an I/O processing is started (step 635).

(3) Zero-configuration

Zero-configuration is a discovery method that uses a management server (that may be accompanied by an agent).

There are mainly two discovery methods in zero-configuration.

One of them is a method that uses Service Location Protocol (SLP), which is already used in IP networks. To use SLP, a dedicated program called an agent needs to be introduced into an initiator and targets. Also, by placing a directory agent on a network, the management unit can be expanded. When a directory agent does not exist, the agents of the initiator and targets mutually exchange management information. When a directory agent exists, the agent of the initiator searches for the targets through the directory agent.

The other is a method that uses iSNS (Internet Storage Name Service). In iSNS, the iSNS Protocol (iSNSP), by which device information is registered in a management server, needs to be installed in each of the devices. Then, at the time when device information is registered in the management server, the management server notifies the devices in the management unit (discovery domain) of the device information, such that other devices can discover the devices whose device information is registered.

Effective device management in a storage network becomes possible through the use of an appropriate one of the discovery methods described above, according to particular purposes and the size of the storage network.

To ensure security in a storage system having a plurality of storage devices, the following method is conventionally implemented. The storage system retains a table that associates the storage system with identifiers of computers, which are required for the computers to log in to the storage system. The storage system compares an identifier included in a frame that is sent from a computer with the identifiers registered in the table, and continues processing according to the instructions of the frame when there is a match, but otherwise returns a frame refusing the received frame. In this manner, illegal accesses from unauthorized computers can be prevented.

The security of a SAN can be provided by the following method. A disk control unit retains a record including configuration data that identifies the storage devices accessed by each of the authorized network devices. By using the record, the disk control unit judges whether a device having no data access privileges is a device that is authorized to have access, and allows the access if the device is authorized, but denies the access if the device is not authorized.

According to the conventional technologies described above, in FC-SAN computers can readily log in to a storage system with port IDs and WWNs, because only computers that have already logged in to the network are subject to the processing for preventing illegal accesses. Since FC-SAN is a somewhat closed network with few illegal accesses, it was sufficient to conduct the processing to prevent illegal accesses against computers that had already logged in to the network. However, for IP-SAN, which has a broad range of connections, there is a greater number of illegal accesses. Accordingly, it is not enough for IP-SAN to cover only computers that have logged in to the network. If the conventional technology is directly applied to IP-SAN without any changes, there is an increased threat of attacks such as denial of service (DoS) attacks on the storage system. It is noted that if the former conventional technology described above is mapped onto iSCSI, the identifiers of computers and storage devices would be iSCSI names.

SUMMARY OF THE INVENTION

The present invention relates to improvements of the security in a computer system that uses iSCSI.

In accordance with an embodiment of the present invention, a disk control unit of a storage system stores identifiers of initiators that are capable of communicating with storage devices and information on the storage devices. When an initiator performs a discovery processing, the disk control unit judges, based on the information correlated with the initiator, whether or not the initiator's access to a storage device is illegal, and denies the access if it is.

According to the present embodiment, the security check is placed before a storage device (target) reveals its existence to a third party.

Other features and advantages of the invention will be apparent from the following detailed description, taken in conjunction with the accompanying drawings that illustrate, by way of example, various features of embodiments of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 schematically shows a diagram of the entire structure of a computer system.

FIG. 2 is a flowchart of steps of discovery processing.

FIG. 3 shows a diagram of an example configuration of an authorization device management table.

FIG. 4 shows a diagram of an example arrangement of logical storage devices.

FIG. 5 shows a diagram of an example of a notification packet and a response packet of LUN.

FIG. 6 is a flowchart of steps of conventional discovery processing.

PREFERRED EMBODIMENTS OF THE PRESENT INVENTION

FIG. 1 schematically shows a diagram of the entire structure of a computer system in accordance with an embodiment of the present invention. In the figure, software and data are indicated with ovals encircling them.

The computer system includes initiators 105, a storage system 100, a network 130, communications paths 125 that connect the initiators 105 and the network 130, and the storage system 100 and the network 130, respectively, and a management console 195 that is connected to the network 130.

The storage system 100 includes a disk control unit 135 and a plurality of storage devices 190. Also, the storage system 100, the disk control unit 135 and the storage devices 190 are target devices.

The initiators 105 are devices (such as computers) that communicate mainly with the disk control unit 135. In this example, the plurality of initiators 105 are assigned identifiers such as A, B and C (hereafter referred to as “initiator identifiers”) in order to distinguish them from one another. Hereafter, the initiator 105 with the identifier A is abbreviated as the initiator A, the initiator 105 with the identifier B as the initiator B, and the initiator 105 with the identifier C as the initiator C.

The initiators 105 are connected to the network 130 via the communications paths 125.

The storage devices 190 store data, and read the stored data as necessary. The storage devices have one or more storage device identifiers. In FIG. 1, the four storage devices are assigned storage device identifiers N1, N2, N3 and N4, respectively.

The disk control unit 135 includes communications interfaces 140, a storage device interface 175 for communications with the storage devices 190, a CPU 180 and a memory 185.

The memory 185 stores an initiator identification part (program) 165 and an authorization device management table 170. Although the following description is made assuming that the initiator identification part 165 is a program, the initiator identification part 165 can be realized by dedicated hardware. Also, the CPU 180 that executes the relevant program in effect executes the processings executed by the initiator identification part 165.

The communications interfaces 140 control frames that are sent from the initiators 105. The communications interfaces 140 are assigned individually unique identifiers (for example, IF1, IF2, IF3 and IF4, which are hereafter referred to as “interface identifiers”). The identifiers may be composed of IP addresses, MAC addresses, TCP port numbers, or combinations of the above.

For controlling the frames, each of the communications interfaces 140 analyzes the frames received and divides them into control information and data, and retrieves an initiator identifier and an interface identifier from the control information. Then, the communications interface 140 judges whether the interface identifier that is assigned to it matches the interface identifier within the frame, and performs data processing.

In one aspect, the initiator identification part 165 uses the initiator identifier retrieved by the communications interface 140 to specify the initiator 105 of the transmission source. Information that is handled when controlling the frame is stored in the memory 185.

When a discovery processing is requested by one of the initiators 105, the CPU 180 uses the authorization device management table 170 and executes the initiator identification part 165, to thereby notify the initiator 105 of any of the storage devices 190 with which it is authorized to communicate (the details will be described with reference to FIG. 2).

The management console 195 manages devices such as the initiators 105 connected to the network 130, and the storage system 100 (including the disk control unit 135 and the storage devices 190). A system administrator may create an authorization device management table that is to be maintained in the disk control unit 135 and make additions and corrections to the authorization device management table through the management console 195. It is noted that the management console 195 may be directly connected to the disk control unit 135, as a console that manages the disk control unit 135.

FIG. 3 shows a diagram of an example configuration of an authorization device management table 170. INITIATOR INTERFACE IDENTIFIER 310, LUN 325 and ATTRIBUTE 330 in the authorization device management table 170 in FIG. 3 will be described later. The authorization device management table 170 includes a plurality of entries, each made up of a plurality of fields.

INITIATOR IDENTIFIER 305 contains fields in which the initiator identifiers allocated to the initiators 105 that communicate with the disk control unit 135 are registered. In FIG. 3, the values “A,” “B” and “C” registered in the fields of the respective entries correspond to the initiator identifiers allocated to the respective initiators 105 shown in FIG. 1. A value “OTHER” registered in the last entry in the table is provided for communications with initiators 105 that have identifiers other than the initiator identifiers allocated to the three initiators 105. In other words, any initiators 105 that are covered by the entry “OTHER” correspond to those initiators that try illegal accesses, i.e., that are not authorized to access.

AUTHORIZED INTERFACE IDENTIFIER 315 contains fields in which the interface identifiers of the communications interfaces 140 that communicate with the initiators 105 are registered. The values “IF1” through “IF4” registered in the respective entries correspond to the communications interfaces 140 shown in FIG. 1. Hereafter, the interface IF1 is abbreviated as “IF1.” In the example of the illustrated embodiment, the initiator A communicates with the disk control unit 135 via IF1 and IF2, the initiator B via IF3, and the initiator C via IF4. A communications interface 140 indicated by IFx is allocated to the initiators 105 corresponding to “OTHER.” However, in effect, the communications interface 140 that corresponds to IFx does not exist, and the initiators 105 corresponding to “OTHER” cannot communicate with the disk control unit 135.

AUTHORIZED STORAGE DEVICE IDENTIFIER 320 contains fields in which the storage device identifiers of the storage devices with which the initiators 105 can communicate via the communications interfaces 140 are registered. The values “N1” through “N4” registered in the respective entries correspond to the storage devices shown in FIG. 1, respectively. Hereafter, the storage device N1 is abbreviated as N1, the storage device N2 as N2, the storage device N3 as N3, and the storage device N4 as N4.

FIG. 3 indicates that the initiator A can communicate via IF1 and IF2 with N1, the initiator B via IF3 with N1, and the initiator C via IF4 with N2. Although a storage device 190 indicated as Nx is allocated to other initiators 105, a storage device 190 corresponding to Nx does not in effect exist. It is noted that no communications interface or storage device need be allocated to the initiators 105 that correspond to OTHER; in this case, a rejection processing is conducted for each access.

In this manner, by setting IFx as the interface identifier of a communications interface that does not exist in the disk control unit, and Nx as the storage device identifier of a storage device that does not exist, the storage system 100 can shut out communications with initiators 105 that are not registered in the authorization device management table 170.

In this embodiment example, plural initiator identifiers designate plural initiators 105, respectively. However, for example, a plurality of initiators 105 may be designated together by one identifier by using a subnet address in IP addresses. In this case, one communications interface and one storage device can be readily allocated to a plurality of initiators 105.

The authorization device management table 170 may be created by a system administrator at the management console 195, and transferred by the management console 195 to the disk control unit 135. Alternatively, only data may be input at the management console 195, and the data may be registered in an authorization device management table 170 that has been created in advance at the disk control unit 135. The data of the authorization device management table 170 that have once been transferred can be further changed or corrected through the management console 195. When the management console 195 retains information relating to the initiators 105 on the network and the storage system 100 (IP addresses, port numbers, target device names, etc.), appropriate information is selected from among the stored information and registered in the authorization device management table 170. When no information is retained at the management console 195, a system administrator may manually register the necessary information.

FIG. 2 is a flowchart of steps of a discovery processing.

First, one of the initiators 105 issues to the disk control unit 135 a discovery request for discovering storage devices 190 that are connected to the disk control unit 135 (step 205). This request includes the initiator identifier of the initiator 105 that issued the request and a request type. Further, in the case of a device designation request, the request includes identifiers of the target storage devices 190 to be accessed.

Upon receiving the discovery request, the disk control unit 135 retrieves the initiator identifier from the request, and searches the authorization device management table 170 to determine whether the received initiator identifier is registered in the authorization device management table 170 (step 210). If it is not registered, the disk control unit 135 returns to the request source initiator 105 the authorized interface identifier (IFx) corresponding to “OTHER” and the identifier (Nx) of a storage device 190 in the authorization device management table 170 (step 220).

In this case, upon receiving IFx and Nx, the initiator 105 transmits to the disk control unit 135 Nx as the identifier indicating the storage device 190. When the disk control unit 135 receives this identifier, the disk control unit 135 may repeat a response such as “No communicable interface exists” or the like, or may not respond at all. As a result, initiators 105 that are not authorized by the disk control unit 135 cannot communicate with the disk control unit 135. In other words, illegal accesses can be prevented.

If the disk control unit 135 rejects connections in response to discovery requests from initiators 105 corresponding to “OTHER” in step 220, illegal accesses from such illegal initiators 105 can be prevented at an earlier stage.

When it is determined in step 210 that the received initiator identifier is registered, the disk control unit 135 obtains the authorized interface identifier and the authorized storage device identifier corresponding to the received initiator identifier from the authorization device management table 170, and transmits information on these identifiers to the request source initiator 105 (step 225).

Based on the interface identifier and the storage device identifier sent from the disk control unit 135, the request source initiator 105 issues a login command to the communications interface 140 of the disk control unit 135 corresponding to the received interface identifier. Upon receiving the login command, the disk control unit 135 conducts a login processing such as an authorization processing, and starts communications with the initiator 105 (step 230).

When the login processing is completed, the initiator 105 confirms the conditions of the storage device 190 that can be used by the initiator 105 itself. The processing to confirm conditions includes, for example, a processing that obtains information unique to the supply source of the product, such as the name of the product supply source, product model and version, logical block addresses, capacity, and the like, and a processing to investigate whether the storage device 190 is in a usable state (step 235).

After confirming that the storage device is normal, the initiator 105 can send SCSI commands (step 240). Thereafter, steps 205, 235 and 240 are repeated as necessary.

By the processing described above, only those of the initiators 105 that are authorized by the disk control unit 135 can receive information on those of the storage devices 190 that can be used by them, whereby higher security can be ensured.
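The discovery-phase check of FIG. 2 run over an authorization device management table shaped like FIG. 3, with the conventional SendTargets behaviour of FIG. 6 beside it for comparison, as an added example that is not code from the patent. The table rows, the subnet row (the variation in which one identifier designates several initiators), the dict-shaped requests and responses, and every function name are assumptions; a real disk control unit would carry the same decisions in iSCSI text keys.

```python
import ipaddress
from dataclasses import dataclass

# Identifiers of a communications interface and a storage device that do not
# exist in the disk control unit; the "OTHER" row hands them to unregistered
# initiators (IFx and Nx of FIG. 3).
IFX, NX = "IFx", "Nx"


@dataclass(frozen=True)
class Entry:
    initiator: str      # INITIATOR IDENTIFIER: "A", an IP subnet, or "OTHER"
    interfaces: tuple   # AUTHORIZED INTERFACE IDENTIFIER
    devices: tuple      # AUTHORIZED STORAGE DEVICE IDENTIFIER


# Constructed table shaped like FIG. 3 (assumed contents). The 192.0.2.0/24 row
# is the variation in which one subnet identifier covers several initiators.
AUTH_TABLE = (
    Entry("A", ("IF1", "IF2"), ("N1",)),
    Entry("B", ("IF3",), ("N1",)),
    Entry("C", ("IF4",), ("N2",)),
    Entry("192.0.2.0/24", ("IF4",), ("N2",)),
    Entry("OTHER", (IFX,), (NX,)),
)
OTHER = AUTH_TABLE[-1]

# Every storage device the disk control unit actually holds (FIG. 1).
ALL_DEVICES = ("N1", "N2", "N3", "N4")


def lookup(initiator_id: str) -> Entry:
    """Step 210: find the row for an initiator identifier, falling back to
    OTHER. A row whose identifier is an IP network matches any address in it."""
    for entry in AUTH_TABLE:
        if entry.initiator == initiator_id:
            return entry
        if "/" in entry.initiator:
            try:
                if ipaddress.ip_address(initiator_id) in ipaddress.ip_network(entry.initiator):
                    return entry
            except ValueError:  # the identifier is not an IP address at all
                pass
    return OTHER


def conventional_send_targets(request: dict) -> dict:
    """FIG. 6 behaviour, for comparison: whoever asks learns every device (or
    every designated one); identity is checked only later, at login."""
    if request["type"] == "all":
        return {"devices": list(ALL_DEVICES)}
    return {"devices": [d for d in request["targets"] if d in ALL_DEVICES]}


def handle_discovery(request: dict, reject_unregistered: bool = False) -> dict:
    """FIG. 2: answer a discovery request only with what the requesting
    initiator is authorized to see."""
    entry = lookup(request["initiator"])
    if entry is OTHER:
        if reject_unregistered:  # the variation that rejects outright at step 220
            return {"status": "rejected"}
        return {"status": "ok", "interfaces": [IFX], "devices": [NX]}  # step 220
    devices = list(entry.devices)
    if request["type"] == "designated":
        # Designated devices outside the authorization are dropped rather than
        # reported as unauthorized, so their existence is never confirmed.
        devices = [d for d in devices if d in request["targets"]]
    return {"status": "ok", "interfaces": list(entry.interfaces), "devices": devices}  # step 225


def handle_login(initiator_id: str, interface: str, device: str) -> bool:
    """Step 230: the login must name an interface and a device the table grants
    to this initiator. IFx and Nx are never real, so OTHER can never log in."""
    entry = lookup(initiator_id)
    return (interface != IFX and device != NX
            and interface in entry.interfaces and device in entry.devices)
```

The difference the patent is after is visible in the two handlers: `conventional_send_targets` tells an unknown initiator that N1 through N4 exist, while `handle_discovery` tells it only about the non-existent Nx (or nothing), and `handle_login` closes the second door even if the unknown initiator tries IFx/Nx anyway.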

In the embodiment example, the description has been made assuming that the physical storage devices 190 are targets. However, in an actual storage system, there are cases where physical storage devices are virtually handled as a plurality of logical storage devices (hereafter referred to as “logical units”), or a plurality of physical storage devices are handled as a single logical unit. The present invention described above can also be applied to such cases.

More specifically, the storage device identifiers (for example, N1 and the like) allocated to the physical storage devices 190 in the embodiment described above are allocated to the logical units described above. When the disk control unit 135 receives a SendTargets request from an initiator 105 (for example, the initiator A), the disk control unit 135 returns to the initiator A the storage device identifiers allocated to the logical units that can be used by the initiator A. By this, the initiator A can recognize the specified ones of the logical units, and can perform succeeding operations such as sending a login command and the like.

Accesses by initiators to logical units can be more finely controlled. One embodiment example for finely controlling initiators' accesses to logical units is described below.

In the present embodiment, storage device identifiers are assigned to physical storage devices 190 or logical units. An initiator 105 (for example, the initiator A) completes the processings up to the login processing according to the procedure described above. Then, the initiator A issues to a target that can be accessed by the initiator A itself a command (communications packet) requesting a list of the logical units (hereafter referred to as “LUs”) of the target (more specifically, their logical unit numbers (hereafter referred to as “LUNs”)). In terms of SCSI, such a command corresponds to REPORT LUNS.

Upon receiving the command, the disk control unit 135 extracts from the authorization device management table 170 only the LUs that the initiator A is authorized to access among the LUs included in the target that the initiator A was authorized to access in the SendTargets processing, and transmits the extracted information to the initiator A as a list of LUNs.

When the initiator A receives the list, the initiator A performs actual input/output processing using only the LUs included in the received list. As a result, communications with LUs that are unrelated to the initiator A are not required, and therefore the network load is alleviated. Also, even if an unauthorized initiator logs in, the escalation of possible damage can be prevented because the usable logical units are limited and other logical units are not affected.

The present embodiment will be described in greater detail.

FIG. 4 shows a diagram of an example arrangement of logical storage devices. Two storage devices 190 are viewed by each initiator 105 as four LUs (L0-L3), as shown in FIG. 4. In effect, the disk control unit 135 has a logical-physical conversion table, and the disk control unit 135 performs an address conversion between the storage devices 190 and the LUs using the logical-physical conversion table to provide the initiator 105 with the LUs.

In FIG. 4, L0, L1, L2 and L3 are LUNs, which correspond to the values registered at LUN 325 in FIG. 3. Hereafter, LUN “L0” is abbreviated as L0, LUN “L1” as L1, LUN “L2” as L2 and LUN “L3” as L3. FIG. 3 indicates that the initiator A can communicate via IF1 and IF2 with L0 of N1, the initiator B via IF3 with L1 of N1, and the initiator C via IF4 with L3 of N2. Also, in the case of LUN 325, a non-existent Lx is defined for initiators having identifiers other than the initiator identifiers “A,” “B” and “C.”

INITIATOR INTERFACE IDENTIFIER 310 contains fields in which initiator interface identifiers, i.e., the identifiers allocated to the communications interface sections that the initiators 105 have between themselves and the network 130, are registered. In this embodiment example, it is assumed that I1 is allocated to the initiator A, I2 to the initiator B, I3 to the initiator C, and Ix (actually incapable of communications) to other initiators.

It is noted that the initiator interface identifiers do not need to be registered at the time the authorization device management table 170 is set. Instead, when initiator identifiers are determined (more specifically, when a discovery request is received), the initiator interface identifiers that are sent together with the request may be retrieved and set.

FIG. 5 shows a request packet and a response packet for a LUN that is capable of communicating with an initiator 105 after a login processing is completed. FIG. 5 shows an example of the request packet and response packet in communications that take place between the initiator A and the disk control unit 135.

The initiator A issues a command (a communications packet) 810 that requests a list of the LUNs that the disk control unit 135 has. OPERATION CODE 815 in the command 810 indicates the type of the command. RESERVE 820 (and 830) indicates a region that is reserved in advance. ALLOCATION LENGTH 825 indicates the length (number of bytes) of data that can be transferred to the initiator A. CONTROL BYTE 835 indicates whether commands are issued continuously.

In this embodiment example, it is assumed that information on the initiator identifier “A” is sent with this command 810.

After receiving the command 810, the disk control unit 135 searches the authorization device management table 170 for the LUN which corresponds to “A” (L0 in the example shown in FIG. 3), and embeds the found LUN in a response command.

When a determination cannot be made with the initiator identifier A, the disk control unit 135 can make the determination with the initiator interface identifier of the transmission source. In this case, the disk control unit 135 searches the authorization device management table 170 for the LUN which corresponds to the initiator interface identifier, and embeds information on the LUN in a response command to the initiator 105.

In FIG. 5, reference numeral 840 denotes a response command (response packet) that is sent in response to the command 810. LUN LIST LENGTH 845 in the response 840 indicates the length of the data (number of bytes) of the list of LUNs which can be transferred to the initiator. RESERVE 850 indicates a region that is reserved in advance. LUN REGION 855 registers information indicating the LUN corresponding to the initiator A (L0 in this example).

In this manner, the disk control unit 135 can notify each specified initiator 105 of the LUNs of those of the storage devices 190 that are capable of communicating with the initiator 105. In other words, for example, in an environment where the storage system 100 is shared by departments, branch offices and the like, the storage devices 190 can be allocated to each of the departments and branch offices. Furthermore, LUs can be set in the notification such that finer regions can be allocated to the specified initiator 105 while ensuring the security of the storage system.

More specifically, for example, in FIG. 4, the storage devices (or LUs) that are assigned N1 can be allocated as a target that can be accessed by the computers (initiators) used in a department of a corporation, and further each LU included in N1 can be independently allocated to lower-level groups below the department. In this case, the LUs allocated to the computers (initiators) that are used by the lower-level groups may differ from one another, but these LUs are all included in N1; in other words, the storage regions can be hierarchically allocated.

Next, a method of using the values registered in ATTRIBUTE 330 in FIG. 3 will be described.

ATTRIBUTE 330 contains a field that provides each LU with a reading or writing attribute. A value “RW” registered in the field indicates that data reading and writing are possible, and a value “RO” indicates that only data reading is possible. Also, other types of attributes may be defined and set in ATTRIBUTE.

When notifying an initiator, an appropriate attribute may be embedded in the response that is sent in response to an Inquiry command in SCSI. An initiator 105 that is notified of the attribute transmits to the relevant logical unit only I/Os corresponding to the attribute, for example, only read commands if the notified attribute is RO.
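The REPORT LUNS exchange of FIG. 5, with the per-initiator LUN filtering of the preceding section and the ATTRIBUTE 330 value applied on the target side, as an added example that is not code from the patent. The CDB and response layouts follow the SCSI Primary Commands definition of REPORT LUNS (12-byte CDB with the allocation length in bytes 6-9; a response of LUN LIST LENGTH, four reserved bytes, then 8-byte LUN entries in peripheral device addressing); the table rows, the RO/RW assignments, the READ(10)/WRITE(10) opcodes as the I/O stand-ins, and the function names are assumptions.

```python
import struct

REPORT_LUNS = 0xA0          # OPERATION CODE 815
READ_10, WRITE_10 = 0x28, 0x2A

# Constructed LUN 325 / ATTRIBUTE 330 rows: (initiator, target) -> {LUN: attribute}.
# The attribute values are assumptions; FIG. 3 gives the column, not the rows.
LU_TABLE = {
    ("A", "N1"): {0: "RW"},
    ("B", "N1"): {1: "RW"},
    ("C", "N2"): {3: "RO"},
}


def build_report_luns_cdb(allocation_length: int, control: int = 0) -> bytes:
    """Command 810: opcode, reserved, select report, 3 reserved bytes,
    ALLOCATION LENGTH 825 (big-endian), reserved, CONTROL BYTE 835."""
    return struct.pack(">BBB3xIxB", REPORT_LUNS, 0, 0, allocation_length, control)


def parse_report_luns_cdb(cdb: bytes) -> int:
    """Target side: validate the CDB and return its allocation length."""
    if len(cdb) != 12 or cdb[0] != REPORT_LUNS:
        raise ValueError("not a REPORT LUNS CDB")
    return struct.unpack(">I", cdb[6:10])[0]


def encode_lun(lun: int) -> bytes:
    """8-byte LUN field, peripheral device addressing (single-level LUN < 256)."""
    if not 0 <= lun < 256:
        raise ValueError("only single-level LUNs are handled here")
    return bytes([0, lun]) + bytes(6)


def authorized_luns(initiator: str, target: str) -> dict:
    """The LUs this initiator may use on this target; empty for anyone else."""
    return LU_TABLE.get((initiator, target), {})


def respond_report_luns(initiator: str, target: str, cdb: bytes) -> bytes:
    """Response 840 carrying only the LUNs the table grants this initiator.
    LUN LIST LENGTH 845 always states the full list length; the data actually
    returned is cut at the allocation length, as SCSI requires."""
    alloc = parse_report_luns_cdb(cdb)
    body = b"".join(encode_lun(lun) for lun in sorted(authorized_luns(initiator, target)))
    data = struct.pack(">I4x", len(body)) + body   # LUN LIST LENGTH, RESERVE 850, LUN REGION 855
    return data[:alloc]


def parse_report_luns_response(data: bytes) -> list:
    """Initiator side: LUNs from the entries actually delivered (a response
    truncated by the allocation length holds fewer than it announces)."""
    if len(data) < 8:
        return []
    entries = min(struct.unpack(">I", data[:4])[0], len(data) - 8) // 8
    return [data[8 + 8 * i + 1] for i in range(entries)]


def check_io(initiator: str, target: str, lun: int, opcode: int) -> bool:
    """Target-side enforcement of ATTRIBUTE 330: an LU outside the initiator's
    list is denied outright, an RO LU accepts reads only, an RW LU both."""
    attr = authorized_luns(initiator, target).get(lun)
    if attr is None:
        return False
    if opcode == READ_10:
        return True
    if opcode == WRITE_10:
        return attr == "RW"
    return False
```

`check_io` is the part the text leaves to the initiator: an initiator that has been told an LU is RO is expected to send only reads, but a hostile or buggy initiator will not cooperate, so the disk control unit should apply the same attribute to every command it receives rather than relying on the Inquiry notification alone.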

The storage devices 190 may often use magnetic media. However, the storage devices 190 may be devices that use other media, such as optical media. Also, the programs described in the present embodiment can be transferred from a storage medium such as a CD-ROM or the like, or downloaded via a network from other devices.

While the description above refers to particular embodiments of the present invention, it will be understood that many modifications may be made without departing from the spirit thereof. The accompanying claims are intended to cover such modifications as would fall within the true scope and spirit of the present invention.

The presently disclosed embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims, rather than the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.

1. A disk control unit that is connected to a plurality of computers and a plurality of storage devices, the disk control unit comprising: a plurality of communications interfaces for communicating with the plurality of computers; a storage device interface for communicating with the plurality of storage devices; a memory that stores a first identifier that uniquely identifies each computer that is authorized to communicate with at least one of the storage devices; a module that receives a request sent from one of the computers during a discovery phase of iSCSI to find a target storage device to be communicated with the one of the computers; and a module that gives an access authorization to the one of the computers based on an identifier of the one of the computers included in the request and the first identifier.
2. A disk control unit according to claim 1, wherein the memory stores a second identifier correlated with the first identifier, which uniquely identifies each computer that is authorized to communicate with at least one of the storage devices, further comprising a module that performs a comparison between the identifier of the one of the computers included in the request and the first identifiers; and a module that notifies the one of the computers of the second identifier according to the comparison.
3. A disk control unit according to claim 2, wherein the memory stores an identifier other than the first identifier, for identifying computers that are not authorized to communicate with the storage devices.
4. A disk control unit according to claim 3, further comprising a module that notifies the one of the computers of the other identifier other than the first identifier when the identifier of the one of the computers included in the request is different from the first identifier.
5. A disk control unit according to claim 3, further comprising a module that rejects the request when the identifier of the one of the computers included in the request is different from the first identifier.
6. A disk control unit according to claim 2, wherein the memory stores interface identifiers for identifying interfaces of the computers.
7. A disk control unit according to claim 2, further comprising a module that defines a plurality of storage devices as a single storage device, assigns one identifier to the single storage device, and allocates the single storage device to the computers.
8. A disk control unit according to claim 2, wherein the memory stores attributes of the storage devices, each correlated with the second identifier, further comprising a module that notifies the at least one computer of at least one of the attributes with the second identifier.
9. A method for controlling a disk control unit that is connected to a plurality of computers and a plurality of storage devices, the disk control unit including a plurality of communications interfaces for communicating with the plurality of computers, and a storage device interface for communicating with the plurality of storage devices, the method comprising the steps of: storing a first identifier that uniquely identifies each computer that is authorized to communicate with at least one of the storage devices via the storage device interface; storing interface identifiers for identifying each of the plurality of communications interfaces that communicate with the plurality of computers; receiving a send-target request sent from one of the computers to send identification information of a target storage device to be communicated with the one of the computers; and giving an access authorization to the one of the computers based on the interface identifier and an identifier of the one of the computers included in the send-target request and the first identifier.
10. A method according to claim 9, further comprising the steps of storing a second identifier correlated with the first identifier, which uniquely identifies each computer that is authorized to communicate with at least one of the storage devices, and performing a comparison between the identifier of the one of the computers included in the request and the first identifiers, and notifying the one of the computers of the second identifier according to the comparison.
11. A method according to claim 10, further comprising the step of storing an identifier other than the first identifier, for identifying computers that are not authorized to communicate with the storage devices.
12. A method according to claim 11, further comprising the step of notifying the one of the computers of the other identifier other than the first identifier when the identifier of the one of the computers included in the request is different from the first identifier.
13. A method according to claim 11, further comprising the step of rejecting the request when the identifier of the one of the computers included in the request is different from the first identifier.
 14. (cancelled)
15. A method according to claim 10, further comprising the step of defining a plurality of storage devices as a single storage device, assigning one identifier to the single storage device, and allocating the single storage device to the computers.
16. A method according to claim 10, further comprising the step of storing attributes of the storage devices, each correlated with the second identifier, and the step of notifying the at least one computer of at least one of the attributes with the second identifier.
17. A program that renders a computer to control a disk control unit that is connected to a plurality of computers and a plurality of storage devices, the disk control unit including a plurality of communications interfaces for communicating with the plurality of computers, a storage device interface for communicating with the plurality of storage devices, and a memory that stores a first identifier that uniquely identifies each computer that is authorized to communicate with at least one of the storage devices, the program comprising: a section of receiving a request sent from one of the computers during a discovery phase of iSCSI to find a target storage device to be communicated with the one of the computers; a section for retrieving interface identifiers for identifying each of the plurality of communications interfaces; and a section of giving an access authorization to the one of the computers based on the communications interface identifier and an identifier of the one of the computers included in the request and the first identifier.
18. A program according to claim 17, wherein the memory stores a second identifier correlated with the first identifier, which uniquely identifies each computer that is authorized to communicate with at least one of the storage devices, the program further comprising a section of performing a comparison between the identifier of the one of the computers included in the request and the first identifiers, and a section of notifying the one of the computers of the second identifier according to the comparison.
19. A program according to claim 18, wherein the memory stores an identifier other than the first identifier, for identifying computers that are not authorized to communicate with the storage devices, the program further comprising a section of notifying the one of the computers of the other identifier other than the first identifier when the identifier of the one of the computers included in the request is different from the first identifier.
20. A program according to claim 18, wherein the memory stores an identifier other than the first identifier, for identifying computers that are not authorized to communicate with the storage devices, the program further comprising a section of rejecting the request when the identifier of the one of the computers included in the request is different from the first identifier.
21. A program according to claim 18, wherein the memory stores interface identifiers for identifying interfaces of the computers, the program further comprising a section of defining a plurality of storage devices as a single storage device, assigning one identifier to the single storage device, and allocating the single storage device to the computers.
22. A program according to claim 18, wherein the memory stores attributes of the storage devices, each correlated with the second identifier, the program comprising a section of notifying the at least one computer of at least one of the attributes with the second identifier.
23. A disk control unit that is connected to a plurality of computers and a plurality of storage devices, the disk control unit comprising: a plurality of communications interfaces for communicating with the plurality of computers; a storage device interface for communicating with the plurality of storage devices; a memory that stores a first identifier that uniquely identifies each computer that is authorized to communicate with at least one of the storage devices and a second identifier correlated with the first identifier, the second identifier uniquely identifying the each computer that is authorized to communicate with at least one of the storage devices; a first module that receives a send-target request sent from one of the computers to send identification information of a target storage device to be communicated with the one of the computers; a second module that gives an access authorization to the one of the computers based on an identifier of the one of the computers included in the send-target request and the first identifier; a third module that performs a comparison between the identifier of the one of the computers included in the send-target request and the first identifiers; and a fourth module that notifies the one of the computers of the second identifier according to the comparison.
24. A disk control unit according to claim 23, wherein the fourth module sends the identification information with the second identifier to the one of the computers if the one of the computers is authorized by the second module; wherein the first module receives a login request, which requests to log in the target storage device by using the identification information and the second identifier sent from the one of the computers.
25. A disk control unit that is connected to a plurality of computers and a plurality of storage devices, the disk control unit comprising: a plurality of communication interfaces for communicating with the plurality of computers; a storage device interface for communicating with the plurality of storage devices; a memory that stores a first identifier that uniquely identifies each computer that is authorized to communicate with at least one of the storage devices; a first module that receives a send-target request sent from one of the computers to send identification information of a target storage device to be communicated with the one of the computers; and a second module that gives an access authorization to the one of the computers based on an identifier of the one of the computers included in the send-target request and the first identifier; wherein the first module sends the identification information to the one of the computers if the one of the computers is authorized by the second module, and receives a login request, which requests to log in the target storage device by using the identification information sent from the one of the computers after the one of the computers is authorized by the second module.
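The discovery-time authorization the claims describe, worked as an added Python model that is not part of the patent: the "first identifier" is the iSCSI initiator name carried in the SendTargets text request, the "second identifier" is the target name correlated with that initiator, the interface identifier is the portal the request arrived on, and a later login is honoured only for a target handed out at discovery (claims 4, 5, 9, 24 and 25). All table entries, initiator and target names, interface identifiers and addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TargetInfo:
    target_name: str  # second identifier, correlated with an authorized initiator
    portal: str       # identification information returned at discovery (addr:port)


class DiskControlUnit:
    """Memory + discovery/login modules of the disk control unit (model, not the patent's code)."""

    def __init__(self, acl, decoy_target=None, reject_unknown=True):
        # acl: {(interface_id, initiator_name): [TargetInfo, ...]}; the keys are the
        # stored first identifiers and interface identifiers (claims 1, 6 and 9)
        self.acl = acl
        self.decoy_target = decoy_target      # "identifier other than the first identifier" (claim 3)
        self.reject_unknown = reject_unknown  # True: reject (claim 5); False: answer with the decoy (claim 4)
        self.discovered = set()               # (initiator, target) pairs authorized at discovery

    def send_targets(self, interface_id, request):
        """Handle a SendTargets request; returns response key=value lines, or None to reject."""
        initiator = request.get("InitiatorName")
        if initiator is None or request.get("SendTargets") != "All":
            return None  # malformed discovery request
        targets = self.acl.get((interface_id, initiator))
        if targets is None:  # identifier (or arriving interface) does not match a stored entry
            if self.reject_unknown or self.decoy_target is None:
                return None
            return [f"TargetName={self.decoy_target}"]
        response = []
        for t in targets:
            self.discovered.add((initiator, t.target_name))
            response.append(f"TargetName={t.target_name}")
            response.append(f"TargetAddress={t.portal}")
        return response

    def login(self, initiator, target_name):
        """Login is accepted only with a target name this initiator received at discovery."""
        return (initiator, target_name) in self.discovered


# Constructed access table: host-a may reach vol0 through interface if0 only.
HOST_A = "iqn.2004-01.com.example:host-a"
HOST_B = "iqn.2004-01.com.example:host-b"
VOL0 = "iqn.2004-01.com.example.dku:vol0"
VOL1 = "iqn.2004-01.com.example.dku:vol1"
ACL = {
    ("if0", HOST_A): [TargetInfo(VOL0, "192.0.2.10:3260")],
    ("if1", HOST_B): [TargetInfo(VOL1, "192.0.2.11:3260")],
}
```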